Hi there fellow geeks!
Azure Private Link is becoming a frequent topic of discussion among peers and my customers. One of the often discussed topics is how to handle DNS with Private Link Endpoints. I spent the past few days deep diving into the documentation and doing some labbing to better understand what the patterns and gotchas were. There seemed to be enough value to the findings to share it with you all.
Before I dive into the guts of Private Link Endpoints, I want to spend a post walking through how Private Link came to be.
Last September Microsoft released the Azure Private Link service. One of the primary drivers behind the introduction of the service was to address the customer demand for secure and private connectivity to Azure services such as Azure SQL and Azure Storage as well as third-party services. Azure PaaS services used to be accessible only via public IP addresses which required a path out to the Internet. From a network security perspective, your only option to use the firewall feature built into many of the services to filter the IPs allowed to communicate with the service. While technically feasible, there had to be something better.
The first attempt at something better was Service Endpoints, which started to be introduced into general availability in February 2018. For you AWS folk, the Service Endpoints are probably closest to VPC Gateway Endpoints. Service Endpoints attempted to improve the experience of accessing the services from a VNet (virtual network) by providing a direct route for resources in a VNet (virtual network) to Azure services in order to optimize routing. To mitigate the risk of the service being accessible over an public IP, Service Endpoints also added an identity to the VNet. This allowed customers to expand context of the filtering being done by the service firewall beyond IP to the identity of the VNet containing resources that need to access the relevant service.
While Service Endpoints made some great improvements there was more work to be done. Service Endpoints did nothing to mitigate the risk of data exfiltration. If an attacker was able to compromise a VM (virtual machine) in your VNet, that attacker could use that optimized route to their advantage piping whatever data they were able to get access to out to an attacker controlled instance of the resource such as an Azure Storage Account. Service Endpoint policies were then introduced to help address this risk.
Well that’s great an all, but Service Endpoints did nothing to address accessing Azure services from outside the VNet such as from an on-premises data center or another public cloud. Customers were still stuck accessing the services over the Internet or using an ExpressRoute using Microsoft Peering. Wouldn’t it be great there was a service with all of those features?
In comes Azure Private Link to the rescue. Azure Private Link includes the concept of an Azure Private Link Service and Private Link Endpoint. Those of you coming from AWS, yeah, I’ll let you guess which AWS service this is like :-). I won’t be covering Private Link Services in this series beyond saying it’s way to build your own third party services and make them directly accessible from a customer VNet. Instead we’ll keep our focus on Private Link Endpoints, specifically in the context of Microsoft-provided services.
The Private Link services introduces two new features that seek to address the gaps Service Endpoints did not and to include features from Service Endpoints that were beneficial. These features are:
- Private access to services running on the Azure platform through the provisioning of a virtual network interface within the customer VNet that is assigned one of the VNet IP addresses from the RFC1918 address space.
- Makes the services accessible over private IP space to resources running outside of Azure such as machines running in an on-premises data center or virtual machines running in other clouds.
- Protects against data exfiltration by the endpoint providing access to only a specific instance of a PaaS service.
As you can see from the above, the service solves a lot of problems and is going to be a necessary component of any Azure footprint. Now when it comes to design and implementation, there are some options as to how you use DNS to resolve the name of the service resource being exposed by the endpoint to the private IP address of the Private Link Endpoint. This is what I’ll be focusing on for this series.
In the next post I’ll walk you through what happens within Azure DNS when you create a Private Link endpoint, some patterns you can use for DNS resolution, and some of the gotchas.
The series is continued in my second post.